[Moin-user] Moinmoin security and exploits
tw-public at gmx.de
Wed Oct 5 02:26:11 EDT 2005
> more about moin's security. I notice that Twiki has a security page
> with security alerts and fixes
> (http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlerts). Is there
> anything like that for moinmoin?
We didn't have reason yet to make such a page.
But I think in case of a severe security issue in a current moin
release, you would find something on MoinMoin:FrontPage and soon after a
new release on Sourceforge.
> In general, I need to know what moin's vulnerabilities are and what steps
> I need to take to guard against them.
We rarely make use of external tools and shell calls, so that kind of
problem is quite improbable.
In general, it is a good idea to run services on a low privilege level
and with separate users. And to have backups, of course.
> I would assume that Python would have security issues as well?
The buffer overflow problems often leading to exploits in C code can't
happen in moin code, because it is Python and in Python buffers do not
overflow, they just grow.
But as the Python interpreter and some of its libraries are implemented
in C, buffer overflows CAN happen THERE (if there is a bug), but those
issues are VERY rare.
I think I remember only 1 or 2 security issues in Python or its libs in
the last years and afaik moin never was affected.
The problems moin had a few times were mostly on a higher level, e.g.
ACLs not working in special cases or privacy issues, so you could see a
wiki page you shouldn't or an email address of somebody who might not
have wanted it published.
Sometimes, this was due to bugs, sometimes rather due to old code that
wasn't written with privacy in mind.